[kernel] r6610 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Fri May 19 22:52:07 UTC 2006 

Author: dannf
Date: Fri May 19 22:52:06 2006
New Revision: 6610

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 211_usb-gadget-rndis-bufoverflow.diff
  [SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation that
  allows for a remote DoS attack (kmalloc'd memory corruption)
  See CVE-2006-1368

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Fri May 19 22:52:06 2006
@@ -16,8 +16,12 @@
     [SECURITY] Fix vulnerability that allows remote attackers to conduct an
     Idle Scan attack, bypassing intended protections against such attacks
     See CVE-2006-1242
+  * 211_usb-gadget-rndis-bufoverflow.diff
+    [SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation that
+    allows for a remote DoS attack (kmalloc'd memory corruption)
+    See CVE-2006-1368
 
- -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 17:17:39 -0500
+ -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 17:51:10 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff	Fri May 19 22:52:06 2006
@@ -0,0 +1,42 @@
+Fix for CVE-2006-1368.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 8763716bfe4d8a16bef28c9947cf9d799b1796a5 (from d5ec33490c67affef93aebf76e1238260c82d377)
+Author: Shaun Tancheff <shaun at tancheff.com>
+Date:   Wed Feb 22 19:47:19 2006 -0800
+
+    [PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)
+    
+    Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
+    for the data attached to the reply, and not the reply structure
+    itself. This caused other kmalloc'd memory to be corrupted.
+    
+    Signed-off-by: Shaun Tancheff <shaun at tancheff.com>
+    Signed-off-by: David Brownell <dbrownell at users.sourceforge.net>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff -urN kernel-source-2.6.8.orig/drivers/usb/gadget/rndis.c 2.6/drivers/usb/gadget/rndis.c
+--- kernel-source-2.6.8.orig/drivers/usb/gadget/rndis.c	2004-08-13 23:36:13.000000000 -0600
++++ 2.6/drivers/usb/gadget/rndis.c	2006-05-18 12:10:41.000000000 -0600
+@@ -853,12 +853,15 @@
+ 	// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
+ 	if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
+ 	
+-	/* 
+-	 * we need more memory: 
+-	 * oid_supported_list is the largest answer 
+-	 */
+-	r = rndis_add_response (configNr, sizeof (oid_supported_list));
+-	
++	/*
++	 * we need more memory:
++	 * gen_ndis_query_resp expects enough space for
++	 * rndis_query_cmplt_type followed by data.
++	 * oid_supported_list is the largest data reply
++ 	 */
++	r = rndis_add_response (configNr,
++		sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
++
+ 	if (!r) return -ENOMEM;
+ 	resp = (rndis_query_cmplt_type *) r->buf;

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Fri May 19 22:52:06 2006
@@ -2,3 +2,4 @@
 + 208_ia64-die_if_kernel-returns.diff
 + 209_sctp-discard-unexpected-in-closed.diff
 + 210_ipv4-id-no-increment.diff
++ 211_usb-gadget-rndis-bufoverflow.diff

More information about the Kernel-svn-changes mailing list